UPDATE from Red Hat: Red Hat has become aware that the patch for CVE-2014-6271 is incomplete. An attacker can provide specially-crafted environment variables containing arbitrary commands that will be executed on vulnerable systems under certain conditions. The new issue has been assigned CVE-2014-7169. The patches are being worked on in conjunction with upstream developers as a critical priority. We will keep you updated regarding this. You can track the issue at https://security-tracker.debian.org/tracker/CVE-2014-7169

A vulnerability identified as CVE-2014-6271, discovered last week, was made public yesterday. This vulnerability in bash lets an attacker execute arbitrary code if they are able to pass commands to bash. Because bash is a common shell for evaluating and executing commands from other programs, this vulnerability may affect many applications that evaluate user input and call other applications via a shell.

Bash supports exporting shell variables as well as shell functions to other bash instances. This is accomplished by passing them through the process environment to a child process.

The major attack vectors that have been identified in this case are HTTP requests and CGI scripts.
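The following defensive check is an added example, not code from the original post or from any vendor. It ties the two points above together: a CGI gateway copies request headers into the child's environment as `HTTP_*` variables, so it can flag and drop any value that begins with the marker bash uses for an exported function. The function names, the sample request and the host `www.example.test` are constructed for illustration.

```python
import re

# Bash recognises an exported function by a value that starts with "() {".
# This pattern is deliberately looser about whitespace than bash itself.
FUNC_EXPORT = re.compile(r"^\s*\(\s*\)\s*\{")


def cgi_environ(raw_request: str) -> dict:
    """Build the header-derived part of a CGI environment (RFC 3875 naming).

    Simplified: Content-Type/Content-Length special cases are not handled.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": path, "QUERY_STRING": query}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" header line
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    return env


def function_like(env: dict) -> list:
    """Names of variables whose value looks like a bash function export."""
    return sorted(k for k, v in env.items() if FUNC_EXPORT.match(v))


def scrub(env: dict) -> dict:
    """Copy of env without function-like values, safe to hand to a child."""
    return {k: v for k, v in env.items() if not FUNC_EXPORT.match(v)}


# Constructed sample request. The Cookie contains the marker, but not at the
# start of the value, so bash would not treat it as a function definition.
SAMPLE = (
    "GET /cgi-bin/status.sh?verbose=1 HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: () { :; }\r\n"
    "Cookie: session=() { abc\r\n"
    "\r\n"
)

if __name__ == "__main__":
    env = cgi_environ(SAMPLE)
    print("flagged:", function_like(env))
    print("passed to child:", sorted(scrub(env)))
```

Filtering like this is a stopgap for the gateway; it does not replace installing the patched bash packages.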